From b6c243615eb49bb1c579bfe4db9105fb79f81b5a Mon Sep 17 00:00:00 2001
From: Justin Hall <justinha@microsoft.com>
Date: Wed, 17 Apr 2019 07:43:58 -0700
Subject: [PATCH 1/3] fixed startup key text

---
 .../bitlocker/bitlocker-group-policy-settings.md          | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index eb5cdc5d4b..0b3297ec31 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -13,7 +13,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/16/2019
+ms.date: 04/17/2019
 ---
 
 # BitLocker Group Policy settings
@@ -238,11 +238,11 @@ This policy setting is used to control which unlock options are available for op
  
 **Reference**
 
-If you want to use BitLocker on a computer without a TPM, select the **Allow BitLocker without a compatible TPM** check box. In this mode, a USB drive is required for startup. Key information that is used to encrypt the drive is stored on the USB drive, which creates a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, you need to use one of the BitLocker recovery options to access the drive.
+If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive.
 
-On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use:
+On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. When the computer starts, it can use:
 
--   only the TPM for authentication
+-   only the TPM
 -   insertion of a USB flash drive containing the startup key
 -   the entry of a 4-digit to 20-digit personal identification number (PIN)
 -   a combination of the PIN and the USB flash drive

From 7ed6b33fcd34fd1a55309c875a7564dc342a2640 Mon Sep 17 00:00:00 2001
From: Justin Hall <justinha@microsoft.com>
Date: Wed, 17 Apr 2019 09:07:00 -0700
Subject: [PATCH 2/3] revised differences section

---
 .../create-wip-policy-using-intune-azure.md                 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 884f52875c..38a86efebf 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -11,10 +11,10 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/12/2019
+ms.date: 04/17/2019
 ---
 
-# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
+# Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
 
 **Applies to:**
 
@@ -25,6 +25,8 @@ Microsoft Intune has an easy way to create and deploy a Windows Information Prot
 
 ## Differences between MDM and MAM for WIP
 
+You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences: 
+
 - If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. 
 - MAM supports only one user per device.  
 - MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).

From 3b556ae012a3ec952df657f12e10082f3a1894f3 Mon Sep 17 00:00:00 2001
From: Justin Hall <justinha@microsoft.com>
Date: Wed, 17 Apr 2019 10:16:00 -0700
Subject: [PATCH 3/3] revised GP location

---
 ...your-organization-for-bitlocker-planning-and-policies.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index e6b09cec2e..86ebe29111 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -13,7 +13,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 04/17/2019
 ---
 
 # Prepare your organization for BitLocker: Planning and policies
@@ -163,9 +163,9 @@ Full drive encryption means that the entire drive will be encrypted, regardless
 
 ## <a href="" id="bkmk-addscons"></a>Active Directory Domain Services considerations
 
-BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting to enable backup of BitLocker recovery information:
+BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting for each drive type to enable backup of BitLocker recovery information:
 
-Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Turn on BitLocker backup to Active Directory Domain Services
+Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker protected drives can be recovered.
 
 By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](https://blogs.technet.microsoft.com/craigf/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information/).